Privacy Policy

Support or Communication: If you contact us for support or feedback (e.g., via email or an in-app chat using our support tool, such as Intercom), you may provide us with your email address, name, or details about your issue. We will use this information solely to assist you and will not retain it longer than necessary.

Surveys or Beta Programs: We might offer optional user surveys, beta testing sign-ups, or referral programs where you can choose to provide an email or other contact info. Participation in these is voluntary, and any data provided will be used only for the stated purpose (e.g., to send you beta access or gather feedback).

Device and Technical Information: We may collect device identifiers and technical information such as your device model, operating system type and version, browser type (for web usage), and device language settings. For mobile app users, this might include an anonymous device ID or push notification token (which does not reveal your identity but helps deliver notifications).

IP Address: Our servers (or third-party providers like AWS) may temporarily receive your device’s IP address when you interact with the Services. However, we do not log or store IP addresses linked to your usage in a personally identifiable way. Any IP processing is transient – for example, to route your request to the nearest server or apply geographic controls (such as compliance with regional restrictions). We do not use IP for tracking individual users, and we take measures to anonymize or discard IP data promptly after use.

Usage Data: We collect information on how you interact with walllet, such as the features you use, pages or screens viewed, actions taken (e.g., initiated a swap or connected to a dApp), and timestamps of activities. This information is generally collected in aggregate or anonymized form and helps us understand usage patterns to improve the Service. For instance, we might track that “Feature X was used by 30% of active users this week” without knowing who those users are. We may use analytics tools (like Google Analytics for web or similar analytics for app) that provide us with this aggregated usage data. Such tools might use cookies or mobile SDKs – please see our Cookie Policy for details on analytics cookies and how to opt-out.

Log Information: Our servers may automatically maintain logs of certain events and errors. These logs can include the above device information, usage events, and error reports (which help us troubleshoot problems). They do not deliberately contain personal user identity data, but may include technical identifiers (like a wallet address or device ID if relevant to the log). We protect these logs and only retain them for short periods unless needed for security analysis.

To Provide the Core Service: We process technical and usage data to deliver walllet’s functionality to you. For example, your device data and public wallet address are used to connect you to the appropriate blockchain node providers (e.g., Alchemy) to fetch your balances and send your transactions. If you initiate a blockchain transaction through walllet, we use necessary information (your account address, the transaction details) to facilitate that request via our Services. Essentially, without processing some device and blockchain info, we cannot provide a functioning wallet service. This processing is based on fulfilling our contractual obligation to you (the Terms of Service).

Security and Fraud Prevention: We may use certain data (like IP region or device characteristics) to enhance the security of the Service. For instance, we might detect suspicious activity (like a high volume of failed transactions or an attempt to use our API in an abusive manner) and use logs to investigate or prevent malicious actions. Also, to comply with international sanctions and legal requirements, we might use IP-derived region data to block access from certain prohibited jurisdictions (though we do not store that data long-term). Our goal is to minimize personal data usage while still protecting the network and users. Security-related processing is based on our legitimate interest in maintaining a safe platform and complying with laws.

Service Improvement and Analytics (consent-based in applicable regions): We use analytics and attribution tools—such as Google Analytics 4 (GA4), PostHog, and, where used, AppsFlyer web attribution—to understand feature usage, measure performance, improve UX, and combat fraud/abuse. We configure GA4 with IP masking enabled and rely on aggregated and/or pseudonymized reporting. In EEA/UK, non-essential analytics/attribution only run after you opt in via our cookie banner. Where permissible, our legal basis is legitimate interests in improving and securing the Service.

Customer Support: If you reach out to us with a question or issue, we will use any contact information and details you provided to respond. For example, if you email support, we use your email to reply and the content of your message to troubleshoot and assist. Support communications may be stored (including via third-party support tools like Intercom or email services) so we have context on your issue and can follow up appropriately. We keep support data confidential and only accessible to authorized personnel. Using your info for support is based on your consent (implied by you contacting us and expecting a reply) or on our legitimate interest in providing effective customer service.

Transaction Facilitation: When you use walllet to initiate a transaction, we will process the necessary data to connect you to the third-party service. In these cases, we act mainly as a pass-through or facilitator and do not store the personal data you may give to those services, except as needed to link the service to your app (e.g., a reference ID to return you to walllet once the third-party process is done). We use your data in this context simply to enable the features you request.

Legal Compliance: Although we do not collect much personal data, we may process and retain information as required by law or regulation. For example, if we were obligated to retain certain logs for a period due to financial regulations, or to comply with a law enforcement request, we would do so. Additionally, we might use data to enforce our Terms of Service (e.g., investigating misuse or fraud). Processing for compliance is based on legal obligations or our legitimate interest in enforcing our rights.

Communications: We presently do not send marketing communications (and we don’t have emails for most users). If in the future you opt into a newsletter or updates, we would use your provided contact to send you relevant news about walllet. You will have the ability to opt-out. Transactional or service messages (like important security alerts or policy updates) may be sent if needed to the contact information you provided (if any).

Essential Cookies: These are necessary for the website’s core functionality and cannot be turned off in our system. For example, they may be used to load the site balance data or to remember that you have logged in (if applicable). They do not store personally identifiable information and are typically session-based.

Analytics Cookies: We use these to understand how visitors engage with our site, so we can enhance user experience. For instance, Google Analytics cookies allow us to count visits, see traffic sources, and understand which pages are most popular. The data collected is aggregated and anonymized; we cannot directly identify you from analytics cookies. These cookies are only placed if you consent (via the cookie banner settings). If you opt out, your site visit will not be included in our analytics.

Functionality Cookies: These cookies enable enhanced features and personalization on the site. For example, if our site has a feature to remember your preferences (like language selection or dark mode), a cookie may store that choice. They may be set by us or third-party providers whose services we’ve added. Disabling these may affect site functionality or your user experience.

Advertising/Tracking Cookies:Currently, walllet does not run third-party ads on our site. However, if in future we engage in any marketing or partner programs, certain cookies might be used to track referrals or to provide relevant advertising on other platforms. These would track browsing habits to build an interest profile. As of the latest update, we have no such cookies active. If we introduce them, we will update our Cookie Policy and obtain appropriate consent.

Service Providers: We use reputable third-party companies to facilitate our Services – for example, cloud hosting (AWS), blockchain node providers (Alchemy), Account abstraction contract, Paymaster and bundler provider (ZeroDev), Analytics and attribution services (Google Analytics 4, PostHog, and AppsFlyer), customer support platforms (Intercom), and others mentioned in our specs. These third parties may process certain data on our behalf as “data processors.” We only share with them the information necessary for them to perform their function. For instance, our cloud hosting will inevitably handle any data that passes through our app/website servers; our analytics provider will receive usage data and possibly your IP in the course of providing analytics. Each of these providers is bound by contract to protect your data and to use it only for the purpose of providing their services to us. Where feasible, we enable privacy-friendly settings (like IP anonymization in Google Analytics). A list of key subprocessors includes:

Amazon Web Services (AWS): Hosts our infrastructure and databases. Data stored on AWS could include server logs and any information you input on our site. AWS adheres to high security standards.

PostHog (Product Analytics): Processes pseudonymized usage events (e.g., feature usage) to help us improve UX and performance; runs subject to consent where required.

AppsFlyer (Attribution & Anti-Fraud): Where used for web/app attribution, processes install/referral and device identifiers (e.g., IDFA/GAID) subject to platform settings and consent where required.

Blockchain API Providers (e.g., Alchemy, Moralis): When the app queries blockchain data or submits a transaction, it may communicate with a third-party node provider. These providers might log requests for performance and abuse monitoring, which could incidentally include your IP or wallet address. Such data is generally used to provide the service (node connectivity) and troubleshoot. They do not get personal info like name or user accounts from us.

ZeroDev (Account Abstraction service): If walllet uses ZeroDev for bundling transactions or sponsoring gas fees, certain transaction data will pass through ZeroDev’s systems. They may log transactions or addresses for security and analytics. We ensure no extra personal data is attached to those requests beyond what’s needed (essentially blockchain transaction metadata).

Intercom (Customer Support and Chat): If you use a support chat or provide feedback in-app, Intercom might process your messages and any contact info you provide. Intercom will also gather basic device info to provide context (like app version, OS) and possibly assign you an anonymous identifier. They act as our processor to manage support tickets.

CoinMarketCap API: If we fetch token prices, your app might directly request price data from CoinMarketCap or via our servers. This typically doesn’t involve personal data, but the API provider may see your app’s request (with IP) to their service. They use it for rate limiting and performance.

Third-Party Services You Use via walllet: As noted, if you explicitly use a feature that relies on a third party (like on-ramp KYC or a specific dApp), then you are choosing to share data with that third party. For example, if you initiate an on-ramp purchase, you will likely be prompted by the provider (say, Transak or similar) to enter personal information for KYC. That information does not go through our servers; it goes directly to the provider via their widget or site. In such cases, the third party’s privacy policy applies to the data you give them. We do not receive your KYC details – at most, we might get a confirmation that you passed verification or a transaction confirmation. Another example: if you connect your wallet to a third-party dApp through our app’s browser, any data you provide to that dApp (like signing a message with your wallet address) is between you and that dApp. We facilitate the connection but do not intercept or store the data exchanged. However, note that by virtue of connecting, the dApp will see your wallet public address and any info you provide to it. Always review third-party terms and privacy notices when engaging. walllet’s role is simply intermediary in those interactions, not a controller of the data you share with third parties.

Affiliates: PrimeUp LTD may share data with its affiliates (for instance, if we establish subsidiaries or related entities in other jurisdictions) for business and operational purposes. Any affiliate will uphold the same privacy protections as outlined in this Policy. For example, if we have a support team operating under a related company, they might access support tickets to assist you. All affiliates are bound to protect your data to the same degree.

Legal and Compliance: We may disclose information about you if required to do so by law or legal process, or if we have a good faith belief that such disclosure is reasonably necessary to (i) comply with a legal obligation (e.g., a subpoena, court order, or regulatory demand), (ii) enforce our Terms of Service or other agreements, (iii) address fraud, security, or technical issues, or (iv) protect our rights, property, and safety or that of our users or the public. We will aim to notify you of requests for your data (for example, a law enforcement request) unless we are legally prohibited from doing so. Keep in mind, however, our ability to disclose is limited by the fact we have very little personal data in most cases. If authorities asked us for user information, often we would have nothing beyond possibly an IP log or transaction hash, since we typically don’t collect identity info.

Business Transfers: In the event that PrimeUp LTD or walllet is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your data may be transferred as part of that transaction. We would ensure the acquiring entity or new provider is bound by terms that are at least as protective of your privacy as this Policy. You would be notified via the app or website of any change in data handling ownership. For example, if another company acquires walllet, the user information (however limited) we have would likely be one of the transferred assets, but the commitments of this Policy would continue to apply to your data (unless you’re notified of changes and given a chance to opt-out or delete your data).

With Your Consent: In scenarios not covered above, we will ask for your consent before sharing your personal data with third parties. For instance, if we ever want to publish a user testimonial or share your feedback publicly with attribution, we’d seek your explicit permission.

European Union Users: If you are in the EEA, UK, or Switzerland, and we transfer personal data to countries not deemed “adequate” by the European Commission (such as the US), we rely on approved transfer mechanisms like the European Commission’s Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement, as applicable. These contractual obligations require our service providers to handle EEA personal data in compliance with EU data protection standards. We also assess, on a case-by-case basis, whether additional technical or organizational measures are needed to ensure equivalent protection. For instance, when possible we use encryption and pseudonymization to protect data during transfer.

Other Regions: For users in other regions with cross-border data transfer requirements (like Brazil or Canada), we similarly ensure compliance with local law by implementing necessary contractual and security measures.

Analytics and Tracking: We use Google Analytics on our website; Google may set cookies and collect usage data (possibly including IP, though we enable anonymization when possible). Google’s use of the data is governed by the Google Analytics terms and Google’s privacy policy. We only see aggregated results. You can opt-out of Google Analytics by using browser opt-out tools or adjusting cookie settings. Similarly, if we use an analytics SDK in the app (like Firebase Analytics or Amplitude), those providers might process data – they typically have their own privacy commitments and do not use data except to provide analytics to us.

ZeroDev / Blockchain Providers: If transaction bundling or gas sponsoring is done via a service like ZeroDev, your transaction data passes through them. They might have their own logging and data policy, but those interactions mainly involve your public blockchain data and are done to execute your requested transaction. They do not get personal info like your name from walllet, only the transaction content. Nonetheless, using the service implies acceptance of their terms (if any). We act as a technical intermediary and do not hand them additional personal data.

External Links: Our site and communications may include links to external websites (for example, a link to our community forum, blog, or documentation on another domain). If you follow these links, this Policy no longer applies, and whatever data you provide or is collected by that external site is subject to their policies. We are not responsible for the content or data practices of external sites.

Right of Access: You have the right to request that we provide you with a copy of the personal data we hold about you, and to information about how we process it. This is often called a Subject Access Request. We will provide the data in a commonly used format, and explain the categories of data, purposes of processing, and any parties it’s been shared with. Given our service design, you might find that aside from maybe an email (if you contacted support) or some device logs, we have very little identifying info on you. Regardless, we will search our systems by the information you provide (e.g., your email or device ID) to gather what exists.

Right to Rectification: If you believe that any personal data we have about you is incorrect or incomplete, you have the right to request that we correct it. For example, if you provided an email and you want to update it, or if a record is wrong. We’ll make corrections as needed. However, since we don’t maintain user profiles, this is rarely an issue.

Right to Deletion (Erasure): You can request that we delete the personal data we hold about you. This is sometimes known as the “right to be forgotten.” We will honor such requests to the extent required by law. For walllet, if you want to be “forgotten,” we would delete contact info (like support emails) and purge any logs that could be linked to you. Note that we cannot delete public blockchain data (obviously, that is on the blockchain), but that data isn’t stored by us off-chain in personal form. Also, if you used an on-ramp through a third party, you’d have to request deletion from that third party separately. We may retain certain information if necessary for legal obligations or legitimate interests (for example, we might need to keep a record of a support request resolution to defend against future disputes, or retain logs for security for a short period), but we’ll inform you if so. In general, our aim is to permanently delete or anonymize your data upon request. Deleting the app from your device does not automatically notify us, since we often don’t know who you are; if you want us to remove any residual data, please contact us.

Right to Restrict Processing: In certain circumstances, you can ask us to restrict (pause) processing of your data. For instance, if you contest the accuracy of data or the lawfulness of processing, we can mark it as restricted until resolved. Given our minimal processing, this right might be exercised by, say, opting out of analytics (which restricts us from processing your usage data beyond core service). We respect such choices via our cookie settings and other opt-outs.

Right to Object: You have the right to object to processing of your data in some cases, particularly if we’re processing it under legitimate interests. For example, you can object to using your data for direct marketing (note: we currently do no direct marketing). If you object to any analytics or other processing, let us know – if it’s not something you can self-manage (like disabling cookies), we will stop processing your data for that purpose unless we have compelling legitimate grounds to continue.

Right to Data Portability: You can request a copy of your personal data in a machine-readable format, and/or for us to transmit it to another service where technically feasible. Honestly, because we don’t have a user account with profile data, there’s not much to port. The most “portable” data is likely your support history or similar. Blockchain data is already portable by nature (your wallet addresses can be used in other wallets freely). Still, if you need a structured export of whatever data we have, we will provide it in CSV/JSON or similar formats.

Right to Withdraw Consent: In scenarios where we rely on your consent to process data (e.g., for optional cookies or a newsletter), you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of any processing we did based on consent before withdrawal. For example, if you gave consent for analytics cookies but later change your mind, you can update your cookie preferences (via our website footer “Cookie Preferences” link) and we will stop analytics tracking going forward. For the mobile app, if we ever prompt for a permission or data use (like sending diagnostic data) and you consent, you can disable it later in settings.

Right not to be subject to Automated Decisions: walllet does not engage in any fully automated decision-making (without human involvement) that produces legal or similarly significant effects on users. Therefore, this right is not applicable in our context. Rest assured, no AI or algorithm is making determinations about you individually in our system.

Account-related data: Since walllet doesn’t have traditional accounts, we have no ongoing profile to retain. If you provided an email for communication, we keep that communication history as long as needed to address your inquiry or maintain a support record. For instance, an email you sent to support might be retained in our support inbox for future reference (so if you email again, we have context). We will periodically review and purge old support tickets that are no longer needed. If you want your support emails deleted sooner, you can request that, and we will scrub or anonymize them in our systems unless required to keep them.

Technical logs: Our server logs that contain IP addresses and usage events are generally kept for a short duration, typically 30 days or less, unless needed longer for security. We implement rolling deletion of logs – e.g., logs older than 30 days are automatically deleted – to limit storage of potentially identifying info. Some security-related logs (for instance, logs of important system events or errors) might be kept up to 90 days for forensic purposes, but these are protected and only used if investigating incidents.

Analytics data: Data in Google Analytics or similar systems is usually kept in aggregate form. Google Analytics retains user-level data (associated with cookies or device identifiers) for a set period (we configure it to the shortest practical period, e.g., 14 months or less). After that, it’s deleted automatically. Aggregated reports (which have no personal identifiers) may be kept indefinitely. If you opt out of analytics, new data won’t be collected.

Blockchain data caching: Sometimes, to improve performance, the app or our backend might cache certain blockchain data (like the list of tokens in your wallet or recent transactions). These caches are usually short-term and tied to your wallet address, not your identity. Cache data might be stored for convenience but is not personal data. Regardless, caches are regularly refreshed and old data removed.

Cookies: Cookies have varying lifespans. Some (like session cookies) expire when you close your browser, others (like a preference cookie or Google Analytics cookie) may persist for months or a couple of years. Our Cookie Policy outlines cookie durations. You can clear cookies at any time via your browser, which effectively ‘deletes’ that data from our site’s perspective.

Legal retention: If we are required by law to retain certain data for a specified period, we will do so. For example, if financial regulations require retention of transaction records or if we must keep records for tax or accounting purposes. Again, because we don’t have user financial accounts, this is minimal. Possibly, if we ever have to retain data related to sanctions compliance (e.g., blocking a certain region), we might keep evidence of compliance. Also, if involved in a legal dispute, we may retain relevant info until it is resolved.

Encryption: All network communications between walllet (app or website) and our servers or third-party APIs are encrypted via HTTPS/TLS. This prevents eavesdropping on data in transit. Additionally, sensitive data at rest is encrypted where appropriate. For example, if any personal data were stored in our database, we use encryption at rest on our cloud storage. Your private keys and passkeys are always encrypted and stored on your device’s secure storage (like the Secure Enclave or Android Keystore) – they never touch our servers in unencrypted form (indeed, they never touch our servers at all).

Access Controls: Within our organization, access to systems that contain any user data is limited to authorized personnel who need it to perform their job (principle of least privilege). For example, only a couple of key engineers/devops can access the server logs, and support staff can access support tickets. All access is protected by strong authentication (e.g., multi-factor authentication) and logged for auditing. We train our team about data security and privacy best practices.

Secure Development: We follow secure coding practices and conduct code reviews. The smart contracts and application code underlying walllet are audited for security issues. We keep our software dependencies updated to patch security vulnerabilities. We may also run a bug bounty or engage external security testers to find any weaknesses.

Network and Infrastructure Security: Our servers are hosted in secure facilities (like AWS data centers) that have robust physical security. We use firewalls and network segmentation to protect our environment. Services are configured with security in mind (e.g., restricting inbound access, using private networks for internal communication, etc.). We monitor for intrusions or anomalies in our infrastructure.

Third-Party Security: We vet the security of third-party providers we use. For example, we choose providers with a strong security reputation and compliance certifications (AWS has numerous security certifications, Intercom and Google Analytics similarly have enterprise-grade security). We ensure through contracts or assessments that these providers will protect data to high standards.

Incident Response: We have a process in place to handle any data security incidents. If we detect a breach or unauthorized access affecting personal data, we will investigate promptly and take appropriate action, including notifying users or authorities as required by law. We aim for transparency in such events.